Encryption / Data Scrambling for user credentials for Web service call?

See the attached file for a better overview.

Basically I am creating a web service that I want my users' apps to call to get data (the data is not specific to any user; it's just analytical data that will be available to them via in-app purchases on a device).

The user will be required to have a user id and password (or I could use an authenticated phone number as well).

In any case, I really do not like the thought of open text in a URL: if a user is on a public Wi-Fi connection, someone could sniff out their info and continue to use my service for free.

The web service would only be user id / password protected.

I wanted to get some thoughts on encrypting the id and password each time they make a call to the DB.

Thanks in advance - any thoughts and ideas would be appreciated!

Thanks

Larry

Hi,

One thing you need to do is secure your endpoint with SSL. So your users would use https://api_endpoint/action. A service like Cloudflare can make this simple depending on the use case.

Instead of sending email and password each call, you should consider creating a “session” for a successful user login, returning a stored token that you can match up against your web service for verification during the course of the “session”.

Your greatest security will be the SSL transport, encrypted passwords, and closing unused ports. An https endpoint is going to be a must-have.

This might be helpful: https://store.coronalabs.com/plugin/openssl

The crypto library might be helpful as well. https://docs.coronalabs.com/api/library/crypto/index.html

Hope that helps.

Cheers.
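As an added example (not from the reply above or from Corona's libraries), a minimal server-side sketch in Python of the session approach it describes: the app sends user id and password once to login(), receives a random token, and presents only that token on later calls. The in-memory dicts are an assumption standing in for the service's database, and every call is still assumed to travel over HTTPS.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores; a real service would use its database (assumption).
USERS = {}      # user_id -> (salt, PBKDF2 hash of the password)
SESSIONS = {}   # token -> (user_id, expiry timestamp)
SESSION_TTL = 3600  # seconds a token stays valid


def register(user_id, password):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    USERS[user_id] = (salt, digest)


def login(user_id, password, now=None):
    """Verify credentials once and issue a random session token, or return None."""
    record = USERS.get(user_id)
    if record is None:
        return None
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    if not hmac.compare_digest(candidate, stored):  # constant-time comparison
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or derivable
    issued = now if now is not None else time.time()
    SESSIONS[token] = (user_id, issued + SESSION_TTL)
    return token


def authenticate(token, now=None):
    """Return the user id for a valid, unexpired token; expired tokens are dropped."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user_id, expires = entry
    current = now if now is not None else time.time()
    if current >= expires:
        del SESSIONS[token]
        return None
    return user_id


def logout(token):
    """Invalidate a token server-side so a captured token stops working."""
    SESSIONS.pop(token, None)
```

Because the token is random rather than derived from the password, a leaked token can be revoked with logout() without the user changing their password.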

Thanks for the input.

I was totally going to use SSL, and I was also thinking about the token but was still on the fence, so you just helped me validate my thoughts.

Thanks for the links as well, they are most helpful.

Looking at the hash: hashes can be calculated differently based on operating system and version (I have seen this in the past). We created a hash key on computer (A) with, say, Windows 2000 SP1, and then on a different server with SP2, where they upgraded or fixed something, the keys would no longer match. I have seen this on Linux as well (many moons ago).

But I could create a hash, store that on the device and in the online database, and pass user id / hash value for verification.

Thanks

Larry
